[ssh_x509] pkixssh-8.0b0 and ECDSA public key algorithm for SSH (RFC 6187)

ssh_x509 at roumenpetrov.info
Fri Feb 14 00:17:21 EET 2014


Hi Roumen,

You are correct that the above error is not related to ECC; I am getting the same
error with RSA certs as well.

Following is my config:

Server:

Port 22
ListenAddress 0.0.0.0
Protocol 2
HostKey /root/rsa/server-x509.pem
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
AllowedCertPurpose sslclient
KeyAllowSelfIssued no
CACertificateFile /root/rsa/CA.pem
VAType ocspspec
VAOCSPResponderURL http://internal-ocsp.dev.confidential.net:8080/ejbca/publicweb/status/ocsp
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
UsePrivilegeSeparation sandbox          # Default for new installations.
Subsystem       sftp    /usr/local/libexec/sftp-server

[13-02-2014 17:01:07] Mudassir Aftab: Client:

HostKey /root/rsa/client.key
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
AllowedCertPurpose sslclient
KeyAllowSelfIssued no

CACertificateFile /root/rsa/CA.pem
VAType ocspspec
VAOCSPResponderURL http://internal-ocsp.dev.confidential.net:8080/ejbca/publicweb/status/ocsp
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
UsePrivilegeSeparation sandbox          # Default for new installations.
Subsystem       sftp    /usr/local/libexec/sftp-serve


Authorize File on server:
#x509v3-sign-rsa subject=
O=confidential,OU=admin,CN=sshclient,emailAddress=sshclient at confidential.com.ab



On Sun, Feb 9, 2014 at 2:41 AM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Mudassir
>
> Now I have time to process my mail box.
>
>
> ssh_x509 at roumenpetrov.info wrote:
>
>> Hi Roumen,
>>
>> Many thanks for writing the ECC X509 beta patch and the prompt reply. I am
>> getting the following error
>>
>> ssh_x509store_cb:
>> subject='CN=ssh-x509.confidential.net,OU=admin,O=confidential',
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
>> certificate'
>> key_verify failed for server_host_key
>>
> I'm not sure that error is related to ECC support.
> At least root certificate must be located in CACertificateFile or
> CACertificatePath.
> Note User... configuration in addition for client.
>
>
>
>  Also it seems that patches are already applied in pkixssh-8.0b0, please
>> correct me if I am wrong. Also find detailed logs and config in attached
>> file.
>>
> Yes,
>
>  Regards,
>> Mudassir Aftab
>>
>
>
> Roumen
>
>
> --
> Get X.509 certificates support in OpenSSH:
> http://roumenpetrov.info/openssh/
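
The requirement stated in the quoted reply, that the issuing root must be present in CACertificateFile or CACertificatePath, can be checked outside SSH with the openssl command line. The script below is an added example, not part of the original thread or of PKIX-SSH: it builds throwaway certificates (all names and paths are constructed) and shows the same "unable to get local issuer certificate" result when the CA bundle does not contain the issuer. It assumes the openssl CLI's chain check is a fair stand-in for the X.509 store lookup that produced error 20 in the log.

```shell
#!/bin/sh
# Added example: constructed CA/host certificates, openssl CLI only.
# Every name and path below is made up for the demonstration.

# make_ca DIR NAME: self-signed CA certificate DIR/NAME.pem with key DIR/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=example/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_host_cert DIR CA: DIR/host.pem, issued by DIR/CA.pem
make_host_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=example/CN=sshhost" \
    -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
  openssl x509 -req -in "$1/host.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial 1 -days 1 -out "$1/host.pem" 2>/dev/null
}

# issuer_of CERT: the issuer DN that must be findable in the verifier's CA store
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# chain_ok CERT CA_BUNDLE: 0 if CERT chains to a certificate in CA_BUNDLE.
# The text output is matched rather than relying on the exit status alone.
chain_ok() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  case $out in
    *": OK"*) return 0 ;;
    *) printf '%s\n' "$out" >&2; return 1 ;;
  esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work" issuing-ca   # the CA that signed the host certificate
make_ca "$work" other-ca     # an unrelated CA, standing in for a wrong bundle
make_host_cert "$work" issuing-ca
issuer_of "$work/host.pem"
for ca in issuing-ca other-ca; do
  if chain_ok "$work/host.pem" "$work/$ca.pem"; then
    echo "CA bundle $ca.pem: chain verifies"
  else
    echo "CA bundle $ca.pem: issuer missing (verify error 20)"
  fi
done
```

Against real files, the same two calls (`issuer_of` on the host certificate, `chain_ok` with the file named in CACertificateFile) show whether the bundle on the verifying side holds the issuer.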